If you thought MD5 was banished from HTTPS encryption, you'd be wrong. It turns out that the fatally weak cryptographic hash function, along with its SHA1 cousin, are still widely used in the TLS protocol that underpins HTTPS. Researchers have devised a series of attacks that exploit the weaknesses to break or degrade key protection provided not only by HTTPS but also other encryption protocols, including IPsec and SSH.